Firewall and SELinux

Firewall:

[1] Show the service status of firewalld as follows (it is enabled by default).

[root@localhost ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2021-09-24 03:29:51 +03; 19h ago
     Docs: man:firewalld(1)
 Main PID: 703 (firewalld)
    Tasks: 4 (limit: 4915)
   Memory: 42.9M
   CGroup: /system.slice/firewalld.service
           └─703 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid

Sep 24 03:29:49 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon.
Sep 24 03:29:51 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.

[2] firewall-cmd only works while the firewalld service is running. To show the full configuration of the active zone:

[root@localhost ~]# firewall-cmd --list-all
public (active)          # active zone
  target: default
  icmp-block-inversion: no
  interfaces: enp3s0
  sources:
  services: dhcpv6-client mdns ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

[3] List all zones.

[root@localhost ~]# firewall-cmd --list-all-zones
FutureServer
  target: default
...

FutureWorkstation
  target: default
...

block
  target: %%REJECT%%
...

dmz
  target: default
...

drop
  target: DROP
...

external
  target: default
...

home
  target: default
...

internal
  target: default
...

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp3s0
  sources:
  services: dhcpv6-client mdns ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

trusted
  target: ACCEPT
...

work
  target: default
...

[4] Set default zone.

[root@localhost ~]# firewall-cmd --set-default-zone public
success
[root@localhost ~]# firewall-cmd --reload
success

[5] Permanently allow access to a service. (Without --permanent the change is made only to the runtime configuration and is lost on the next reload; with --permanent it is written to the saved configuration and needs --reload to take effect.)

[root@localhost ~]# firewall-cmd --zone=public --permanent --add-service=http
success
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --list-service
dhcpv6-client mdns ssh http

[6] Remove access to a service.

[root@localhost ~]# firewall-cmd --zone=public --permanent --remove-service=http
success
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --list-service
dhcpv6-client mdns ssh

[7] Permanently allow access to a port.

[root@localhost ~]# firewall-cmd --zone=public --permanent --add-port=2222/tcp
success
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --list-port
2222/tcp

[8] Remove access to a port.

[root@localhost ~]# firewall-cmd --zone=public --permanent --remove-port=2222/tcp
success
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --list-port
 

SELinux:

[1] Show the status of SELinux (Security-Enhanced Linux) as follows (it is enabled by default).

[root@localhost ~]# getenforce
Enforcing

[2] If you do not need SELinux, for example because the server runs only on an isolated, trusted local network, it can be disabled as follows.

[root@localhost ~]# sed -i "s|SELINUX=enforcing|SELINUX=disabled|" /etc/selinux/config
[root@localhost ~]# cat /etc/selinux/config
...
SELINUX=disabled
...
[root@localhost ~]# reboot

[3] Enable SELinux again.

[root@localhost ~]# sed -i "s|SELINUX=disabled|SELINUX=enforcing|" /etc/selinux/config
[root@localhost ~]# touch /.autorelabel    # SELinux relabeling is set on the next system boot.
[root@localhost ~]# reboot

[4] Turn off enforcement at runtime. setenforce 0 switches SELinux to permissive mode (policy violations are logged but not blocked) until the next reboot; setenforce 1 returns it to enforcing mode.

[root@localhost ~]# setenforce 0
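As an added example that is not part of the original page, a small POSIX shell audit that parses the zone format printed by firewall-cmd --list-all (as shown above) and the SELINUX= line of /etc/selinux/config; all input is constructed sample text so it runs offline, and the function names and allowlists are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): offline audit helpers for the
# two things the page checks, the firewalld zone configuration and the
# SELINUX= setting. All input below is constructed sample text.

# audit_zone ZONE_TEXT ALLOWED_SERVICES ALLOWED_PORTS
# Reads one zone block in the "firewall-cmd --list-all" format and prints a
# WARN line for an ACCEPT target and for every service/port not allowlisted.
audit_zone() {
    printf '%s\n' "$1" | awk -v svc="$2" -v prt="$3" '
        BEGIN {
            n = split(svc, a, " "); for (i = 1; i <= n; i++) ok_svc[a[i]] = 1
            n = split(prt, b, " "); for (i = 1; i <= n; i++) ok_prt[b[i]] = 1
        }
        $1 == "target:" && $2 == "ACCEPT" { print "WARN target ACCEPT: all traffic allowed" }
        $1 == "services:" { for (i = 2; i <= NF; i++) if (!($i in ok_svc)) print "WARN service " $i }
        $1 == "ports:"    { for (i = 2; i <= NF; i++) if (!($i in ok_prt)) print "WARN port " $i }
    '
}

# selinux_config_mode CONFIG_TEXT
# Prints the value of the last uncommented SELINUX= line (enforcing,
# permissive or disabled); SELINUXTYPE= and comment lines are ignored.
selinux_config_mode() {
    printf '%s\n' "$1" | sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' | tail -n 1
}

# Constructed sample: the public zone after "--add-service=http" and
# "--add-port=2222/tcp" from the page, audited against the original baseline.
SAMPLE_ZONE='public (active)
  target: default
  interfaces: enp3s0
  services: dhcpv6-client mdns ssh http
  ports: 2222/tcp'
audit_zone "$SAMPLE_ZONE" "dhcpv6-client mdns ssh" ""

# Constructed sample of /etc/selinux/config after the "disable" step.
SAMPLE_CFG='# SELINUX= can take one of these three values:
SELINUX=disabled
SELINUXTYPE=targeted'
echo "SELinux config mode: $(selinux_config_mode "$SAMPLE_CFG")"
```

On a live host the same functions can be fed real data, e.g. `audit_zone "$(firewall-cmd --list-all)" "ssh" ""` and `selinux_config_mode "$(cat /etc/selinux/config)"`, and comparing the output of `firewall-cmd --list-all` with `firewall-cmd --permanent --list-all` shows whether runtime and saved configuration have drifted.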